ISO 9001, CMMI and ISO 27001
Both CMMI and ISO 9001 aim at improving process quality. The fundamental difference between CMMI and ISO 9001 is conceptual. CMMI is a process model and ISO 9001 is an audit standard.
CMMI is a set of related "best practices" derived from industry leaders and relates to product engineering and software development. Businesses receive CMMI ratings from Level 1 to Level 5 depending upon the extent of compliance with key performance areas specified in the selected CMMI process area.
ISO 9001 is a certification tool that certifies businesses whose processes conform to the laid down standards. Implementing ISO 9001 doesn't mean that you are compliant with CMMI, although it can be a good foundation for implementing CMMI.
What is your advice on implementing an enterprise quality assurance framework, in a nutshell? Does it sound correct if I propose to use ISO 9001:2015 as the overarching quality assurance framework, where ISO 27001 is applied for its information security?
ISO 9001 and ISO 27001 have their own purposes: ISO 9001 deals with quality, while ISO 27001 focuses on information security. They are complementary and can be implemented and maintained together as an integrated management system. For more information, see: How to integrate ISO 9001 and ISO 27001 https://advisera.com/9001academy/blog/2016/09/27/how-to-integrate-iso-9001-and-iso-27001/
Oct 04, 2017